1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

37511 Commits

Author SHA1 Message Date
Stefan Metzmacher
791be84c3e s4:kdc: hdb_samba4_audit() is only called once per request
So we need to restructure the logic a bit.

NOTE: This commit finally works again!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Tue Mar  1 23:28:22 UTC 2022 on sn-devel-184
2022-03-01 23:28:22 +00:00
Andrew Bartlett
c9b0b4bfc4 s4-kdc: Adapt to move from HDB auditing to KDC auditing constants
This is to adapt to:

    commit 6530021f09a5cab631be19a1b5898a0ba6b32f16
    Author: Luke Howard <lukeh@padl.com>
    Date:   Thu Jan 13 14:37:29 2022 +1100

        kdc: move auth event definitions into KDC header

        Move KDC auth event macro definitions out of hdb.h and into a new KDC header,
        kdc-audit.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2022-03-01 22:34:35 +00:00
Joseph Sutton
9399a15fab s4:kdc: Adapt to removal of publicly accessible request structure members
We now have to use the accessor functions instead.

This is an adaptation to Heimdal:

commit ec24edf7005c340018450a202d27ca75fcf322d4
Author: Luke Howard <lukeh@padl.com>
Date:   Thu Jan 20 09:15:24 2022 +1100

    kdc: add accessor functions for KDC request structure

    Add accessor functions for use by Samba and other plugin developers.
    Documentation is in kdc/kdc-accessors.h.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:35 +00:00
Joseph Sutton
94d387abd5 s4:kdc: Adapt to hdb_entry_ex removal
Rather than having a 'free_entry' member that can be called to free an
hdb_entry, we now implement the free function in HDB. We perform the
free only if the context pointer is non-NULL.

We also remove the ZERO_STRUCTP() in sdb_entry_to_hdb_entry(), as the
context pointer is now part of the 'hdb_entry' structure itself, and
this would undesirably zero it out.

This is an adaptation to Heimdal commits:

commit c5551775e204d00c7ee8055ab6ddbba7e0590584
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:15:55 2022 +1100

    hdb: decorate HDB_entry with context member

    Decorate HDB_entry with context and move free_entry callback into HDB structure
    itself. Requires updating hdb_free_entry() signature to include HDB parameter.
    A follow-up commit will consolidate hdb_entry_ex (which has a single hdb_entry
    member) into hdb_entry.

commit 0e8c4ccc6ee0123ea39e53e8917fc3f6bb74e8c8
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Jan 7 12:54:40 2022 +1100

    hdb: eliminate hdb_entry_ex

    Remove hdb_entry_ex and revert to the original design of hdb_entry (except with
    an additional context member in hdb_entry which is managed by the free_entry
    method in HDB).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:35 +00:00
Joseph Sutton
068f2bf117 s4:kdc: Increment plugin minor version
This is an adaptation to Heimdal:

commit 40e4a4df09c2d6c3ba7bf14df1dee74a0bc18110
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 10 12:50:37 2022 +1100

    kdc: use astgs_request_t for client/server name (TGS)

    Store the client and server principal name from the TGT and request
    (respectively) in the astgs_request_t rather than using local variables.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:35 +00:00
Joseph Sutton
675f913e54 s4:kdc: Explicitly set plugin minor version
This is an adaptation to Heimdal:

commit 7cc4b7a9e624f5eecfbb38607d4cc0870a895671
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 13:08:11 2022 +1100

    kdc: KDC plugin API contract notes

    Add some notes about the KDC plugin API contract, and require plugins to
    explicitly indicate which version of the API they support (remove the macro
    alias for the current version).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:35 +00:00
Joseph Sutton
f234361abe s4:kdc: Adapt to removal of auth audit event types
This is an adaptation to Heimdal:

commit 06f8985c55fcd23e3efe0017ed2480c5b3c4524f
Author: Luke Howard <lukeh@padl.com>
Date:   Wed Jan 5 09:42:03 2022 +1100

    hdb: consolidate preauth audit event types

    Instead of having distinct preauth success/failure events for different
    mechanisms, have a single event; the mechanism can be disambiguated by querying
    the HDB_REQUEST_KV_PA_NAME key.

    Note: there is still an explicit event for long-term key-based success/failure
    in order to help the backend implement lockout.

    Audit failure (HDB_AUTH_EVENT_PREAUTH_FAILED) in the main preauth loop, rather
    than in each mechanism. Success is still audited in the mechanism to allow
    client pre-authentication success to be noted even if something subsequent
    (e.g. encoding a reply, memory allocation) fails. The generic catch-all for
    success remains.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
83586e8f58 s4:kdc: Rename windc to kdc plugin
This is an adaptation to Heimdal:

commit fcff5933ade652343d7c169659da92fac0e6e0d4
Author: Luke Howard <lukeh@padl.com>
Date:   Mon Jan 3 11:10:18 2022 +1100

    kdc: rename windc to kdc plugin

    Rename the "windc" plugin API to the more general "kdc" plugin API, for two
    reasons: the Heimdal KDC uses the Windows PAC even when not emulating a domain
    controller, and the plugin API has accreted methods that are not specific to
    emulating a domain controller (such as referral_policy and finalize_reply).

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
a5799cea03 s4:kdc: Add referral policy callback
This is now used instead of a configuration option.

This is an adaption to Heimdal:

commit 3fa47f5a1a422e178d968a8ec0d59889eaa71548
Author: Luke Howard <lukeh@padl.com>
Date:   Sun Jan 2 21:51:43 2022 +1100

    kdc: add referral_policy callback to windc plugin

    Add a referral policy hook to the TGS as a more elegant way of resolving
    referral detection for Samba). The hook can either rewrite the server_princ in
    the request, or it can return an error to disable built-in referral processing.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
0d37a19281 s4:kdc: Add 'not authorised' auth events
This is an adaptation to Heimdal:

commit d683780b1d728bf8c5b794a1f66842e5a25bd360
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 23:44:05 2022 +1100

    kdc: separate PKINIT/GSS authorization failure

    Create a new audit event for PKINIT/GSS authorization (impersonation) failure

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
7989ef0aa7 s4:kdc: Adapt to removal of auth event details
This is an adaptation to Heimdal:

commit e15e711b13e2fb33f4480a054cba60b6c4c0183b
Author: Luke Howard <lukeh@padl.com>
Date:   Sat Jan 1 18:05:51 2022 +1100

    kdc: remove auth_event_details audit key

    The auth event details audit key (formerly, parameter to auth_status)
    contained, variously, an encryption type name; a PKINIT client certificate
    name; or, a GSS initiator name. Audit these instead using individual keys that
    reflect the values' contents.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
a2f7987d58 s4:kdc: Refactor HDB API
This is an adaptation to Heimdal:

commit b1dcc1a47485165ada778ef3c3463cfc0779d183
Author: Luke Howard <lukeh@padl.com>
Date:   Fri Dec 31 17:24:58 2021 +1100

    kdc: refactor Samba-specific auditing API in terms of existing API

    Make Samba-specific HDB auth status API a wrapper on the existing auditing API,
    with a view towards unifying the two APIs in a future commit.

    The term "auth status" is replaced with "auth event", and the HDB auth_status
    method is replaced with a more general purpose audit method which has access to
    the entire request structure.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 22:34:34 +00:00
Joseph Sutton
9936038fae s4:kdc: Don't pass empty PAC buffers to krb5_pac_add_buffer()
Heimdal will no longer allow us to pass a dummy zero-length buffer to
krb5_pac_add_buffer(), so we have to pass a buffer of length 1 instead.

This is an adaption to Heimdal:

commit 190263bb7a56fc775b50a6cd0dc91820d2b2e5eb
Author: Jeffrey Altman <jaltman@secure-endpoints.com>
Date:   Wed Jan 19 22:55:33 2022 -0500

    assert non-NULL ptrs before calling mem funcs

    The definitions of memcpy(), memmove(), and memset() state that
    the behaviour is undefined if any of the pointer arguments are
    NULL, and some compilers are known to make use of this to
    optimise away existing NULL checks in the source.

    Change-Id: I489bc256e3eac7ff41d91becb0b43aba73dbb3f9
    Link: https://www.imperialviolet.org/2016/06/26/nonnull.html

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-03-01 17:11:35 +00:00
Stefan Metzmacher
f6fe86924c s4:sam: Don't use talloc_steal for msg attributes in authsam_make_user_info_dc()
This is most likely not a problem for the current callers,
but that it is unexpected and will likely cause problems with future
changes.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14993
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14995

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2022-03-01 17:11:35 +00:00
Ralph Boehme
ffdb1c3e00 CI: add test "smb2.async_dosmode"
Verifies async-dosmode sync fallback works with shadow_copy2 which returns
ENOSYS for SMB_VFS_GET_DOS_ATTRIBUTES_SEND().

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14957

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-28 20:01:36 +00:00
Jeremy Allison
ca3896b6f8 s4: torture: Add new SMB2 lease test test_lease_duplicate_open().
Checks we return INVALID_PARAMETER when trying to open a
different file with a duplicate lease key on the same share.

Checked against Windows10. Currently fails against smbd
so add knownfail.d/smb2-lease-duplicateopen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2022-02-18 19:12:30 +00:00
Jeremy Allison
bf22548d11 s4: torture: Add new SMB2 lease test test_lease_duplicate_create().
Checks we return INVALID_PARAMETER when trying to create a
new file with a duplicate lease key on the same share.

Checked against Windows10. Samba already passes this
but we didn't have a test before.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14737

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2022-02-18 19:12:30 +00:00
Martin Schwenke
a7c3213523 source4/torture: Drop unused variable attribute
clang complains:

../../source4/client/client.c:1569:11: error: variable 'attribute' set but not used [-Werror,-Wunused-but-set-variable]
        uint16_t attribute = FILE_ATTRIBUTE_SYSTEM | FILE_ATTRIBUTE_HIDDEN;
                 ^

That is, the variable is initialised and updated but the value is
never used.

Commit 2f377d5101 from 2004 dropped the
use of this variable.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Feb 17 19:06:25 UTC 2022 on sn-devel-184
2022-02-17 19:06:24 +00:00
Martin Schwenke
2b649604ae source4/torture: Drop unused variable mask
clang complains:

../../source4/torture/smb2/notify.c:871:11: error: variable 'mask' set but not used [-Werror,-Wunused-but-set-variable]
        uint32_t mask;
                 ^

That is, the variable is initialised and updated but the value is
never used.

Looks to have been this way since commit
15d93a5d8e from 2009.  Just drop it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-02-17 18:12:52 +00:00
Martin Schwenke
1ccb187408 source4/torture: Drop unused variable tdif
clang complains:

../../source4/torture/basic/denytest.c:1805:11: error: variable 'tdif' set but not used [-Werror,-Wunused-but-set-variable]
                int64_t tdif;
                        ^

That is, the variable is initialised and updated but the value is
never used.

Perhaps it is meant to be used in the nearby torture_comment() call,
but it has been this was since commit
cb1cff90f1 from 2004.  Just drop it.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-02-17 18:12:52 +00:00
Martin Schwenke
7471afaa1f source4/torture: Avoid unused variable
clang complains:

../../source4/torture/basic/delete.c:2342:7: error: variable 'correct' set but not used [-Werror,-Wunused-but-set-variable]
        bool correct = true;
             ^

That is, the variable is initialised and updated but the value is
never used.  Similar functions return this variable, so try that.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-02-17 18:12:52 +00:00
Martin Schwenke
32d2584c23 util: Drop unused variable num_received
clang complains:

../../source4/libcli/clilist.c:111:6: error: variable 'num_received' set but not used [-Werror,-Wunused-but-set-variable]
        int num_received = 0;
            ^
../../source4/libcli/clilist.c:268:6: error: variable 'num_received' set but not used [-Werror,-Wunused-but-set-variable]
        int num_received = 0;
            ^

That is, the variable is initialised and updated but the value is
never used.

Signed-off-by: Martin Schwenke <martin@meltin.net>
Reviewed-by: Volker Lendecke <vl@samba.org>
2022-02-17 18:12:51 +00:00
Volker Lendecke
c8eb75cca5 torture: Align integer types
finfo.stream_info.out.num_streams is declared as "unsigned int"

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-11 20:54:37 +00:00
Volker Lendecke
d717a581ab lib: Fix CID 1465285 Double close
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-07 19:00:34 +00:00
Jeremy Allison
0ecc588583 s4: test: Add samba4.libsmbclient.rename test. Currently fails for SMB3.
Add knownfail.d/libsmbclient_rename

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14938

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2022-02-02 20:54:29 +00:00
Volker Lendecke
888275eee2 torture: Align an integer type
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2022-02-01 19:09:34 +00:00
Joseph Sutton
1a5dc817c0 CVE-2022-0336: s4/dsdb/samldb: Don't return early when an SPN is re-added to an object
If an added SPN already exists on an object, we still want to check the
rest of the element values for conflicts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-01-31 15:27:37 +00:00
Andreas Schneider
6063e8016f s4:kdc: Translate HDB flags to SDB flags
We used to have a 1 to 1 mapping, but now we have
a conflict with these:

 #define SDB_F_FORCE_CANON 16384
 #define HDB_F_PRECHECK    16384

We currently don't really care about HDB_F_PRECHECK,
so we can just filter it out.

In the long run we may change the SDB flags space to uint64...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Jan 28 13:33:22 UTC 2022 on sn-devel-184
2022-01-28 13:33:22 +00:00
Andreas Schneider
2a0d6c1133 s4:kdc: Remove trailing spaces in hdb-samba4.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-28 12:36:34 +00:00
Andreas Schneider
63e00f81b5 s4:kdc: Add a HDB to SDB mask
For most flags the mapping is 1 to 1, but it's not always
the case anymore.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14960

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-28 12:36:34 +00:00
Douglas Bagnall
309f198226 s4/auth/simple_bind: correctly report TLS state
It went wrong in 366f8cf090

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Volker Lendecke <vl@samba.org>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Jan 26 12:39:52 UTC 2022 on sn-devel-184
2022-01-26 12:39:52 +00:00
Pavel Filipenský
851fc9d60d s4:libnet: Fix uninitialized value "seq_num"
Found by covscan.

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-26 11:44:32 +00:00
Pavel Filipenský
dbbad4b500 s4:libnet: Fix trailing whitespace in libnet_vampire.c
Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-26 11:44:32 +00:00
Stefan Metzmacher
12464bd4c2 blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
This actually reveals that ndr_push_string() for TargetName="" was
failing before because it resulted in 1 byte for a subcontext with
TargetLen=0.

This is fixed now and we no longer expect ndrdump to exit with 1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
2022-01-24 16:18:34 +00:00
Stefan Metzmacher
8da26cb672 s4:torture/ndr: demonstrate the ndr_push_string(STR_NOTERM|REMAINING) of "" is wrong
convert_string_talloc() never returns a string with len=0 and always
implies zero termination byte(s).

For ndr_push_string this is unexpected as we need to be compatible on
the wire and push 0 bytes for an empty string.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
1dc385cb64 blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
9110a8854a blackbox.ndrdump: adjust example files to changed dump_data() output.
The cleanup using dump_data_block16() fixed the space handling.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Stefan Metzmacher
0651fa474c dcesrv_core: wrap gensec_*() calls in [un]become_root() calls
This is important for the source3/rpc_server code as it might
be called embedded in smbd and may not run as root with access
to our private tdb/ldb files.

Note this is only really needed for 4.15 and older, as
we no longer run the rpc_server embedded in smbd,
but we better be consistent for now.

This should be able to fix the problem the printing no longer works
on Windows 7 with 2021-10 monthly rollup patch (KB5006743).

Windows uses NTLMSSP with privacy at the DCERPC layer on top
of NCACN_NP (smb).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14867

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2022-01-24 15:25:36 +00:00
Björn Jacke
809f4fe2c7 s4:librpc: raise log level for failed connection attempts
this keeps the log files silent when other DCs are currently not running. We
saw frequent NT_STATUS_HOST_UNREACHABLE messages at log level 0 for now.

https://bugzilla.samba.org/show_bug.cgi?id=11537

Signed-off-by: Bjoern Jacke <bjacke@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Sun Jan 23 12:51:44 UTC 2022 on sn-devel-184
2022-01-23 12:51:44 +00:00
Pavel Filipenský
9624e60e8c s4:selftest: plan test suite samba4.blackbox.test_weak_disable_ntlmssp_ldap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14955

Signed-off-by: Pavel Filipenský <pfilipen@redhat.com>
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-21 23:33:36 +00:00
Stefan Metzmacher
7d16a56b9d s4:dsdb/vlv_pagination: fix segfault in vlv_results()
It can happen that the vlv_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Jan 20 10:04:39 UTC 2022 on sn-devel-184
2022-01-20 10:04:39 +00:00
Stefan Metzmacher
19fa22b1fb s4:dsdb/paged_results: fix segfault in paged_results()
It can happen that the paged_results() failes, e.g. due to
LDB_ERR_TIME_LIMIT_EXCEEDED, if that happens we should not
dereference ares->response, if ares is NULL.

We also should not call ldb_module_done() if paged_results()
fails, as it was already called.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14952

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2022-01-20 09:10:28 +00:00
Stefan Metzmacher
7055827b8f HEIMDAL: move code from source4/heimdal* to third_party/heimdal*
This makes it clearer that we always want to do heimdal changes
via the lorikeet-heimdal repository.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>

Autobuild-User(master): Joseph Sutton <jsutton@samba.org>
Autobuild-Date(master): Wed Jan 19 21:41:59 UTC 2022 on sn-devel-184
2022-01-19 21:41:59 +00:00
Joseph Sutton
1954e50f26 s4:torture: Adapt KDC canon test to Heimdal upstream changes
NOTE: This commit finally works again!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
a24280dc72 s4:torture: Remove PAC-REQUEST check for RESPONSE_TOO_BIG
Needed by the Heimdal upgrade...

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
9eead4853e s4:torture: Fix Orpheus' Lyre tests
The enc-pa-rep request protection allows these tests to now pass as
expected.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
b59687a762 s4:torture: Adapt LSA tests to newer Heimdal version
The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Isaac Boukris
7679d596c5 s4:torture: return ETYPE_INFO2 on PREAUTH_FAILED
This is an alternative to 978bc8681e
which got overriten by the upgrade merge.
One difference however, is that we don't return ENC_TIMESTAMP like
in PREAUTH_REQUIRED but only ETYPE_INFO2 same as Windows.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Isaac Boukris <iboukris@gmail.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
0b9c8b9e12 selftest: Expect FAST support for both MIT and Heimdal
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00
Joseph Sutton
64e539bb7f tests/krb5: Add option to check reply padata
So far we have only been checking padata in error replies and with FAST.
We should also check it in the general success case.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2022-01-19 20:50:35 +00:00